Krebs on Security

In-depth security news and investigation

How to Fight Mobile Number Port-out Scams

T-Mobile, AT&T and other mobile carriers are reminding customers to take advantage of free services that can block identity thieves from easily “porting” your mobile number out to another provider, which allows crooks to intercept your calls and messages while your phone goes dark. Tips for minimizing the risk of number porting fraud are available below for customers of all four major mobile providers, including Sprint and Verizon.

Unauthorized mobile phone number porting is not a new problem, but T-Mobile said it began alerting customers about it earlier this month because the company has seen a recent uptick in fraudulent requests to have customer phone numbers ported over to another mobile provider’s network.

“We have been alerting customers via SMS that our industry is experiencing a phone number port out scam that could impact them,” T-Mobile said in a written statement. “We have been encouraging them to add a port validation feature, if they’ve not already done so.”

Crooks typically use phony number porting requests when they have already stolen the password for a customer account (either for the mobile provider’s network or for another site), and wish to intercept the one-time password that many companies send to the mobile device to perform two-factor authentication.

Porting a number to a new provider shuts off the phone of the original user, and forwards all calls to the new device. Once in control of the mobile number, thieves can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud.

In these cases, the fraudsters can call a customer service specialist at a mobile provider and pose as the target, providing the mark’s static identifiers like name, date of birth, social security number and other information. Often this is enough to have a target’s calls temporarily forwarded to another number, or ported to a different provider’s network.

“Port out fraud has been an industry problem for a long time, but recently we’ve seen an uptick in this illegal activity,” T-Mobile said. “We’re not providing specific metrics, but it’s been enough that we felt it was important to encourage customers to add extra security features to their accounts.”

In a blog post published Tuesday, AT&T said bad guys sometimes use illegal porting to steal your phone number, transfer the number to a device they control and intercept text authentication messages from your bank, credit card issuer or other companies.

“You may not know this has happened until you notice your mobile device has lost service,” reads a post by Brian Rexroad, VP of security relations at AT&T. “Then, you may notice loss of access to important accounts as the attacker changes passwords, steals your money, and gains access to other pieces of your personal information.”

Rexroad says in some cases the thieves just walk into an AT&T store and present a fake ID and your personal information, requesting to switch carriers. Porting allows customers to take their phone number with them when they change phone carriers.

The law requires carriers to provide this number porting feature, but there are ways to reduce the risk of this happening to you.

T-Mobile suggests adding its port validation feature to all accounts. To do this, call 611 from your T-Mobile phone or dial 1-800-937-8997 from any phone. The T-Mobile customer care representative will ask you to create a 6-to-15-digit passcode that will be added to your account.

“We’ve included alerts in the T-Mobile customer app and on MyT-Mobile.com, but we don’t want customers to wait to get an alert to take action,” the company said in its statement. “Any customer can call 611 at any time from their mobile phone and have port validation added to their accounts.”

Verizon requires a match on a password or a PIN associated with the account for a port to go through. Subscribers can set their PIN via their Verizon Wireless website account or by visiting a local shop.

Sprint told me that in order for a customer to port their number to a different carrier, they must provide the correct Sprint account number and PIN number for the port to be approved. Sprint requires all customers to create a PIN during their initial account setup.

AT&T calls its two-factor authentication “extra security,” which involves creating a unique passcode on your AT&T account that requires you to provide that code before any changes can be made — including ports initiated through another carrier. Follow this link for more information. And don’t use something easily guessable like your SSN (the last four of your SSN is the default PIN, so make sure you change it quickly to something you can remember but that’s non-obvious).

Bigger picture, these porting attacks are a good reminder to use something other than a text message or a one-time code that gets read to you in an automated phone call. Whenever you have the option, choose the app-based alternative: Many companies now support third-party authentication apps like Google Authenticator and Authy, which can act as powerful two-factor authentication alternatives that are not nearly as easy for thieves to intercept.

Several of the mobile companies referred me to the work of a Mobile Authentication task force created by the carriers last fall. They say the issue of unauthorized ports to commit fraud is being addressed by this initiative.

This entry was posted on Wednesday, February 28th, 2018 at 9:46 am and is filed under Latest Warnings, The Coming Storm.

I didn’t have any problems having this set up, but my account with T-Mobile is post-paid.
They actually had sent a message sometime back, but I had forgotten about it. Brian’s post was a timely reminder.

DIRECTV-only accounts – Non-bundled DIRECTV accounts that haven’t moved to att.com are still managed at directv.com.
U-verse app account – Learn how to sign in and stay connected to your U-verse TV from anywhere using the U-verse app on your mobile device.
AT&T PREPAID℠ (formerly GoPhone®) accounts – Your AT&T PREPAID 10-digit wireless number is not an Access ID, but you can use it to sign in and manage your AT&T PREPAID account.
Business accounts – If you’re a Small Business Online customer, please register or sign in to manage your Small Business account online.
Digital Life™ accounts – For Digital Life, go to att.com/dllogin.
Some home phone accounts – If you have home phone service in certain states, you may need to sign in to AT&T Customer Center with your 10-digit phone number.

Brian, please devote a future column to how third-party authentication apps like Google Authenticator and Authy work and whether they are adequately secure.
Thank you for your informative and valuable work.

Piling on, in past comments on this topic, I’ve suggested that while 2-factor authentication (2FA) is a Good Idea, implementing it with text messages to mobile fones is a Bad Idea. As this article emphasizes, mobile fone service is itself insecure.

I, too, would be interested in a review of pluses and minuses of hardware-based 2FA (e.g.: YubiKey; dunno if there are hardware alternatives) and software-based 2FA (e.g.: Authy, Duo, Firekey, Google Authenticator). It’s likely each method has its strengths and weaknesses. “Best Practice” may vary depending on circumstances, but I’m glad to see consensus building against text messages to mobile fones.

Google (and perhaps others too), don’t allow you to set up an app-based 2FA without providing a phone number! This means that if the phone number gets hijacked, the hacker will be able to gain control of the account, and a capable hacker will immediately do away with the 2FA, Backup codes, Recovery address and so on! A real solution needs to be phone-free. A hardware based solution that Google Key offers is a bit expensive, but I’m leaning towards it.

Actually, Google will let you have 2FA that is not based on a phone number and it doesn’t cost anything (other than time)

However, to enable 2FA on your Google Account, you do need to set up phone voice or SMS 2FA first. But once it is enabled you can enable other better factors such as your printed backup codes and U2F or Google Authenticator and turn off the voice or SMS 2FA.

Another option – don’t use your carrier number for those kinds of two factor authentication. I for example use my GV number which is on a different account than any service secured using that number. If someone manages to port my number away they won’t get much. The only people who use my carrier number . . . is my actual carrier.

Google voice is more likely to be compromised than your cell phone, especially since fewer than 10 percent of people use 2FA and most still use weak passwords. I also know that people who read this forum likely know how to lock down their Google accounts, but we are in the minority. So it makes sense to prevent VOIP numbers from being used for 2FA.

Hi Luis, no it won’t. I was with T for 12 years. Just before the story popped, I got my number ported out to MetroPCS. I had a 6-digit code in place for years. Whenever I called in, online, etc., I had to provide it, but they transferred my phone without even asking for it. I had a dead phone for 5 days waiting until they got it back. I then left T and went to another carrier. Customer service and security is terrible. I wish you the best of luck. I believe this is all part of the Equifax breach and they are going down the list. I had to change bank and email info also. Good Luck.

Very few (almost none) banks offer 2FA other than SMS. Some offer RSA key FOBs, but who wants to carry those around. Too bad none offers Yubikey. I have only seen one or two use a TOTP app like Google Authenticator. Still, SMS is far better than nothing.

1. Your comment is totally off-topic.
2. If you’re doing banking from a variety of locations or while out for a hike, where carrying an RSA key fob is a burden, you might be doing online banking wrong.

It’s me your friend Oma Arizona anyway can you give us the ability to to tweet the article I can’t find the Tweet button so I can tweet this specific article to Twitter so I can bring you more traffic I feel like artificial intelligence will be modeled after me because we live in a world with clicks and blinks and anybody was doing good should just be automatically rewarded someone like you should get a billion hips and should have grown into a major publishing news organization as a CEO out doing CNN and Fox network place where we can be trusted advice.

So please add the Twitter thing so that I am able to tweet the page I’m going to copy the link on the browsers into it it that way but it would be nice you can just click on something to tweet it multiple times anyway thanks for everything that you do we appreciate everything you do because of you are ethical standards and what you’re trying to accomplish something I’m very happy about thank you for your time God bless you

A lot of spam in comment sections and forums is like that now. I would guess people are trying to train their neural networks by making them wander around posting comments and rating their comments based on how many responses it gets and slightly more useful metrics like the actual sense the bot made in that comment, at least as determined by some poor guy making $.05/week halfway across the planet.

Token based 2FA is the way to go, now to get the sites that use SMS based to switch. Until then, we will still have this problem. My former bank (which I just left and is one of the biggest in the country) just switched to SMS based 2FA about six months ago after having no 2FA prior to that. This is the same bank where for a while your initial online banking username was your SSN, and it is still the same bank with an 18-character max limit for your password.

Until more sites / services move from SMS 2FA to token based 2FA, this will keep happening. I use a Google Voice number for any sites / services that use SMS 2FA. I don’t forward texts to my primary mobile number, I just use the Google Voice app and they come across that way.

I recently left my large bank and they just started SMS 2FA about six months ago after not having any 2FA prior to that. This is the same bank who used to issue your online banking (I signed on with them in the early days) username as your SSN. They still have a low max character password limit, I think it’s 14 characters.

I am an AT&T contract customer. I have their “extra security” enabled. They do ask for it on walk-in to an AT&T store. Also, I must provide it when logging in online, but online that page has a checkbox (unchecked by default) to disable it upon page submission (clicking OK). That is poor design; it should not be there, it should only be changeable once fully logged in, in the profile security settings.

I use my Google Voice number for SMS. I have my Google account set up with 2FA TOTP via the Google Authenticator app. I cannot just not use the many services which only support 2FA via SMS.

What gets me is SMS 2FA is actually harder to implement than TOTP for the organization. Harder in the fact that it takes extra steps beyond the common requirements. Companies act as if it is harder to implement TOTP. TOTP does require a customer to: 1) install an app (child’s play); 2) configure it to log in by scanning a QR code or entering a bit of info (Facebook requires more to create an account); 3) enter an initial code to complete the setup (same type of code as sent via SMS). I have other non-tech-savvy people doing it in a few minutes. Ongoing, the only difference is opening the TOTP app to retrieve the code instead of the SMS app.

BTW, it should be mentioned that SMS 2fa has been deprecated by NIST. A very good reason for this is the ease in which the SMS 2fa codes can be intercepted by port-out or SS7 attack. The cost of these attacks has dropped so much that only a few hundred dollars return is profitable. Automation has made it easy to make multiple attacks in short order.

I hear you about TOTP apps, and I prefer that way myself. But my org has learned the hard way that resistance can crop up in unexpected ways. There was a subset of users upset that we were suggesting they install an app on their personal phones; their argument was that our org shouldn’t “force” them to use their own equipment for our purposes. Upper management had to end up buying physical tokens for this situation.

To me, that was madness. An app hardly utilizes any resources on a phone, and the phone is a securable platform. Plus, most people will have it with them in just about any circumstance, so it’s not easily forgotten or as misplaceable as a tiny auth token. It combined convenience with security and at nearly zero cost to the end user (I’m counting the minuscule amount of data used when thinking “cost”… and even *that* isn’t an issue if connected to the corporate wireless network, or a home wifi if working remotely). But, there was pushback, and management had to relent.

A token is still good, don’t get me wrong. Much, much better than SMS. But it’s still flabbergasting to see this happen.

—–

Aside: You’re probably already aware of this, but since others here and in other forums have mentioned Google Voice in conjunction with SMS 2FA, I wanted to point out something: In the same recommendation where NIST deprecates SMS, they also recommend validation of a phone number to make sure it’s really a mobile device, and not a VOIP service. In their blog, they actually mention GV along with Skype (www.nist.gov/blogs/i-think-therefore-iam/questionsand-buzz-surrounding-draft-nist-special-publication-800-63-3). So if the real world stays true to form and some things get implemented before others, I can see a world where VOIP numbers are considered invalid for most 2FA implementations. Heck, there are already individual orgs out there who’ve done that.

Once a TOTP app is downloaded, it requires no data connection, it will operate forever in airplane mode. A TOTP app is like a token, more like a key-ring full of tokens, but a lot easier to carry.

I can understand employees not wanting anything for the employer on their personal device. I fully embrace that stance. The discussion though is not in reference to employee accounts with their employers.

Google Voice is not a VOIP service, it is a call forwarding, voicemail, and SMS service. Google Voice cannot be used without an underlying voice service, it can be used with VOIP though if you wish. I use mine with my cellphone voice service.

The time based code security authentication factor can be implemented quite easily with support for SMS, TOTP, and hardware tokens all in one implementation. The core algorithms are identical for each variation of time based code. It is organization choice alone which limits their time based code to SMS. Facebook has implemented support for both SMS and TOTP time based codes. Unfortunately you cannot have TOTP without SMS, on login they text a code or you can use the TOTP code, either will work, totally defeats the purpose behind enabling TOTP.
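The article recommends app-based authenticators over SMS, and the comment above notes that the same time-based code algorithm sits behind SMS codes, TOTP apps and hardware tokens. The following is an added example (not code from the article, the commenter, or any carrier or authenticator vendor) of that shared core: HOTP per RFC 4226, TOTP per RFC 6238, an otpauth:// enrolment URI of the kind an authenticator app reads from a QR code, and a server-side verifier that tolerates one step of clock drift, compares in constant time, and refuses a code that has already been accepted. The secret used in the self-test is the published RFC test key; the issuer and account names are constructed placeholders.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226): enrolment, code generation and
server-side verification with drift tolerance and replay protection.
Added example; not part of the article or of any vendor's code."""
import base64
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# ASCII "12345678901234567890": the reference key from RFC 4226 / RFC 6238,
# used only so the output can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP is HOTP with the counter derived from Unix time: floor(T / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Return the matched counter when `candidate` is valid, otherwise None.

    The current step and +/- `window` neighbours are accepted to absorb clock
    drift between server and phone. Any counter <= last_counter is refused, so
    a code that was already used cannot be replayed within its validity window;
    the caller persists the returned counter as the new last_counter."""
    if for_time is None:
        for_time = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return None
    now_counter = int(for_time) // step
    for offset in range(-window, window + 1):
        counter = now_counter + offset
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user secret; 160 bits matches the RFC 4226 recommendation."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """Key URI that authenticator apps import from a QR code (issuer/account are caller-supplied)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Enrolment: generate a secret, hand the URI to the user's authenticator app.
    secret = new_secret()
    print(provisioning_uri(secret, "alice", "ExampleBank"))  # placeholder names
    # Login: the app shows a code; the server verifies and records the counter.
    now = time.time()
    code = totp(secret, now)
    used = verify_totp(secret, code, now)
    print("first use accepted at counter", used)
    print("replay rejected:", verify_totp(secret, code, now, last_counter=used) is None)
```

The SMS variant of the same design would simply send `totp(secret, now)` over the carrier network instead of letting the phone compute it, which is exactly the delivery channel that a port-out removes from the user's control; the verifier does not change.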

I used to belong to T-Mobile. I got caught up in the port out scam before the news broke. I already had a 6-digit code assigned. T-Mobile moved me over to MetroPCS without even asking for the code. Due to that fact, I left them after 12 years. UNSAFE Service.

“Extra Security” means that a six digit passcode is required to log in to your account (in addition to your usual password), for all phone interactions, and for all in-store transactions. Sounds good, until you notice the “Forgot Passcode” link on the login page. Apparently you can bypass the passcode if you know the victim’s zip code and the last four digits of their social security number.

My thanks to Brian Krebs for this article, and for the “to-do” for us ordinary folks.

For CredoMobile, who piggyback on Sprint, contact CredoMobile account services and ask them to set up a PIN number on your account. When this has been done, they told me, I would thereafter need to provide that PIN number any time I want to do anything to the account.

The first two tech support people I spoke to did not know much about this topic. One of them said it’s very rare for this to happen. It’s hard for just anybody to steal your cell phone number. Well, of course, it’s not just anybody. It’s somebody who is after you or your online accounts, like your ex, your unpleasant neighbor, someone at work….

If you are a CredoMobile account holder, don’t let them convince you that this problem is not common and therefore you can go away and not bother them.

And, note that when you call them (from your Credo phone), all you need to give them is the zip code on the account, and they’ll provide service.

Their own people don’t know the jargon either. When I dialled 611, they connected me, apparently over a tin can on a string to a customer service center in an underwater cave, to a customer service rep who didn’t know what the port-out PIN was, and kept talking about an “account password”. So I now have an 8 digit “password” assigned to–something. Maybe it is for porting the number, maybe it is for something else.

It is rather shameful that they don’t know their own jargon, that you can’t set this up over the web but have to call them, and when you do call them (the phone company) the sound quality is like something from 1882.

My approach is to maintain two Google accounts, each with Google’s advanced protection (i.e. you need a Yubikey to log in and account recovery is deliberately hard), one of which I use as my e-mail on sensitive accounts (like banks) and the other of which I use (through Google Voice and a burner phone) as my phone number on those accounts. I don’t use those Google accounts for anything else. I don’t use the burner phone for anything else (and it’s with a different carrier from my main phone). So if someone ports my phone, they don’t get much else. Someone could port the burner phone, but they’d have to know the number and only Google knows it.

I would like to do the same. But how do I get a second Google account? Google requires me to provide a phone number when I open an account. This prevents me from opening more than one Google account because I have only one non-Google phone number.

Never mind. I just realized that in this scenario I could use the number of the burner phone as the second phone number that is required for the second Google account. However, this leads to the question how to minimize the cost of the burner phone.

The lowest-cost low-use cell phone service that I have found is the Pay As You Go prepaid service from Tello, a Sprint MVNO, at $10.00/refill with no expiration if the service is used at least once every month and a cost of $0.01/SMS. The lowest-cost plan that I have found for areas without adequate Sprint coverage is the Pay-As-You-Go plan from Page Plus Cellular, a Verizon MVNO and a part of America Movil, at $10.00/refill with 120-day expiration and $0.05/SMS.

Correction: The Tello Pay As You Go service has to be used once every *three* months (not every month) to avoid balance expiration. I am not sure whether receiving an SMS is sufficient to qualify as such usage.

Correction: Usage once every *three* months, not once every month, is sufficient to prevent Tello Pay As You Go plan balance expiration. (Previously, it was once every six months.) I am not sure whether receiving an SMS is sufficient to prevent account expiration.

Virgin mobile used to send all account info, including PIN in one, single, email whenever a customer used their website to send them a message. I don’t know if they do that any more. I haven’t tried because SECURITY.

Virgin Mobile also at one time allowed PINs up to 10 digits. Later, they changed back to 4 digit PINs. (I guess they had a brainfart and decided to correct it?) Those who were lucky enough to set 10 digit PINs were allowed to keep them (so far) but Virgin Mobile has set things up so that they cannot be used by designing their website to force the 4-digit limit for the PIN using Javascript, and lately, some non-Javascript browser-side method that so far has not been circumventable. Fortunately, despite their lack of clue, real humans there still, mostly, accept the 10-digit PINs.

Virgin Mobile states they use “industry standard security practices”. Monkey-see, monkey-do. The same poor security as everyone else.

Called H2O after reading this article. Per support, as verification of your identity they will ask for three phone numbers that the customer frequently calls or texts since activation, the email address associated with the account and the SIM card serial number. Seems to be pretty good validation.